FYI: configured GAE + Shibb IdP + Google MFA push

IAM David Bantz db at
Mon Oct 14 16:42:12 EDT 2019

2FA for email is a management priority, so IdP first factor and Google's
2nd factor addresses that specific priority.

That holds out hope for SSO via single IdP deploying 2FA for Google for
entire UA via Google's 2FA and Duo, selectively, for vastly smaller number
of high risk accounts or services. While not ideal, the alternative (which
may still be what is deployed) is Google authentication and 2FA for Google
apps, Shibb IdP for others, most of which are not 2FA protected.


On Mon, Oct 14, 2019 at 12:25 PM Michael A Grady <mgrady at> wrote:

> So as long as the only thing you want 2nd factor for is Google’s own
> services, that will work. Is that all you needed it for?
> Sent from my iPhone
> On Oct 14, 2019, at 3:08 PM, IAM David Bantz <dabantz at> wrote:
> FWIW, I was able to set up our "proof of concept" domain
> to use our regular Shibb IdP for authentication and then turn on Google's
> 2nd factor authN for my account. (So the sequence is go to Google, sign in
> to which redirects to UA IdP, then upon successful authn
> and relay to Google, Google pushes prompt for 2nd factor to the Google app
> on my phone.)
> David
> ------------------------------
> This email has been scanned for spam and viruses by Proofpoint Essentials.
> Click here
> <>
> to report this email as spam.
> =
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list