FYI: configured GAE + Shibb IdP + Google MFA push

IAM David Bantz db at alaska.edu
Mon Oct 14 16:42:12 EDT 2019


2FA for email is a management priority, so IdP first factor and Google's
2nd factor address that specific priority.

That holds out hope for SSO via a single IdP deploying 2FA for Google for
the entire UA via Google's 2FA and Duo, selectively, for a vastly smaller
number of high-risk accounts or services. While not ideal, the alternative
(which may still be what is deployed) is Google authentication and 2FA for
Google apps, Shibb IdP for others, most of which are not 2FA protected.

David


On Mon, Oct 14, 2019 at 12:25 PM Michael A Grady <mgrady at unicon.net> wrote:

> So as long as the only thing you want 2nd factor for is Google’s own
> services, that will work. Is that all you needed it for?
>
> On Oct 14, 2019, at 3:08 PM, IAM David Bantz <dabantz at alaska.edu> wrote:
>
> 
> FWIW, I was able to set up our "proof of concept" domain poc.alaska.edu
> to use our regular Shibb IdP for authentication and then turn on Google's
> 2nd factor authN for my account. (So the sequence is go to Google, sign in
> to poc.alaska.edu which redirects to UA IdP, then upon successful authn
> and relay to Google, Google pushes prompt for 2nd factor to the Google app
> on my phone.)
>
> David