Shibb IdP, Google Apps, Google MFA (Authenticator)

Tony Skalski ajs at
Mon Oct 14 11:06:00 EDT 2019

One could front the IdP with a reverse proxy that uses mod-openidc pointing
to Google and use the RemoteUser flow.

On Fri, Oct 11, 2019 at 5:48 PM Greg Haverkamp <gahaverkamp at> wrote:

> There isn't (currently) a good way to do it, at least so far as I'm
> aware.  I go hunting every now and then.  The project that you're
> referencing allows you to use Google Authenticator (the app), not Google's
> MFA _services_.  It does it by storing OATH token secrets on its own.
> (Similarly, if you're just looking for an OTP solution, we run LinOTP
> integrated with Shibboleth, and someone else has posted here that they use
> PrivacyIDEA -- a fork of LinOTP -- with Shibboleth).
>
> I did have my deputy CIO contact me not long ago after someone posted to
> an EDUCAUSE list that they were doing it.  From what I could tell, they
> (Wake Forest) are fronting the Shibboleth IdP with the Shibboleth SP, and
> they've got that SP configured with Google's SAML IdP.  So, basically,
> they're doing external authentication using Google.  (i.e., not just MFA;
> they've delegated all authentication, including look-and-feel, to Google.)
>
> That said, Google Cloud Platform's Identity Platform product (which is
> _not_ Google Cloud Identity) promises two-factor "coming soon".  Identity
> Platform makes available a RESTful API that can be called to perform
> authentication, which should allow it to be offloaded.  It would require
> replicating accounts to Identity Platform, and it's not yet clear what
> "two-factor" will mean.  I've asked my Google liaisons, who have weekly
> meetings with our Google reps, to ask.  I figure they might do some widget
> sort of thing like Auth0 or Firebase (since that's where it appears to come
> from) or something, but I don't know.
>
> Greg
>
> On Fri, Oct 11, 2019 at 3:36 PM IAM David Bantz <dabantz at>
> wrote:
>> Has anyone found a good way to use Google's MFA for Google Apps with
>> institutional SSO (IdP)?
>>
>> My mail admins tell me that Google MFA cannot be used with SSO; if so
>> that seems a choice rather than any fundamental issue.
>>
>> I see a 4-year-old reference to Google authenticator authentication
>> module for Shibboleth IdP v3
>> but did not see
>> updates or indication of adoption as a strategy.
>>
>> (Yes, we have Duo integration with our Shibb IdP, but we're not able to
>> license Duo for all students.)
>>
>> David Bantz
>> --
>> For Consortium Member technical support, see
>> To unsubscribe from this list send an email to
>> users-unsubscribe at

*Tony Skalski*
System Administrator | IT

*Office:* 507-786-3227
1510 St. Olaf Avenue Northfield, MN 55057
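
A sketch of the reverse-proxy arrangement suggested in the message above, added here as an illustration and not taken from the thread or from any participant's deployment. It assumes "mod-openidc" means the Apache module mod_auth_openidc, a Shibboleth IdP v3 with the RemoteUser flow enabled behind a loopback-only Tomcat AJP connector, and placeholder values for the hostname, domain, file paths, client ID and secrets.

```apache
# Constructed example: idp.example.edu, example.edu, paths and REPLACE_* are placeholders.
<VirtualHost *:443>
    ServerName idp.example.edu
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.edu.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.edu.key

    # mod_auth_openidc acts as an OpenID Connect relying party to Google.
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID            REPLACE_WITH_CLIENT_ID
    OIDCClientSecret        REPLACE_WITH_CLIENT_SECRET
    OIDCRedirectURI         https://idp.example.edu/oidc/redirect_uri
    OIDCCryptoPassphrase    REPLACE_WITH_LONG_RANDOM_VALUE
    OIDCScope               "openid email"

    # REMOTE_USER becomes the Google e-mail address; the IdP's attribute
    # resolution must expect that form of principal name.
    OIDCRemoteUserClaim     email

    # "hd" in the request only pre-selects the domain at Google's login page.
    # It is not an access control; the Require claim line below is.
    OIDCAuthRequestParams   hd=example.edu

    # The redirect URI must sit under a location handled by the module.
    <Location /oidc/redirect_uri>
        AuthType openid-connect
        Require valid-user
    </Location>

    # Only the IdP's RemoteUser endpoint triggers the Google login.
    # Assumes idp.authn.flows = RemoteUser in the IdP's idp.properties.
    <Location /idp/Authn/RemoteUser>
        AuthType openid-connect
        # Reject ID tokens from consumer accounts or other Google domains.
        Require claim hd:example.edu
    </Location>

    # Assumes the AJP connector listens on 127.0.0.1 only and has
    # tomcatAuthentication="false" so Tomcat accepts the proxy's REMOTE_USER.
    # Anything else that can reach port 8009 can assert any user name.
    ProxyPass /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

With this layout the IdP trusts whatever user name the proxy supplies, so the proxy must be the only network path to the IdP's servlet container.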