FYI: configured GAE + Shibb IdP + Google MFA push

David Langenberg davel at
Tue Oct 15 11:08:12 EDT 2019

I’m a tad confused, over here we have IdP + Duo -> Google and it seems to do what we want (2FA to get access).  Where is the gap that led you to instead go this route?


David Langenberg
Asst Director, Identity Management
The University of Chicago

From: users <users-bounces at> On Behalf Of IAM David Bantz
Sent: Monday, October 14, 2019 3:42 PM
To: Michael A Grady <mgrady at>
Cc: Shib Users <users at>
Subject: Re: FYI: configured GAE + Shibb IdP + Google MFA push

2FA for email is a management priority, so IdP first factor and Google's 2nd factor addresses that specific priority.

That holds out hope for SSO via single IdP deploying 2FA for Google for entire UA via Google's 2FA and Duo, selectively, for vastly smaller number of high risk accounts or services. While not ideal, the alternative (which may still be what is deployed) is Google authentication and 2FA for Google apps, Shibb IdP for others, most of which are not 2FA protected.


On Mon, Oct 14, 2019 at 12:25 PM Michael A Grady <mgrady at<mailto:mgrady at>> wrote:
So as long as the only thing you want 2nd factor for is Google’s own services, that will work. Is that all you needed it for?

Sent from my iPhone

On Oct 14, 2019, at 3:08 PM, IAM David Bantz <dabantz at<mailto:dabantz at>> wrote:

FWIW, I was able to set up our "proof of concept" domain<;!pWSdj_w3qx0ASw!snpLahpAbueoNopQBVenpq0hFO73MDR8msxpZzZOg_sgWb_7yheXNVR3wXXemrhQeA$> to use our regular Shibb IdP for authentication and then turn on Google's 2nd factor authN for my account. (So the sequence is go to Google, sign in to<;!pWSdj_w3qx0ASw!snpLahpAbueoNopQBVenpq0hFO73MDR8msxpZzZOg_sgWb_7yheXNVR3wXXemrhQeA$> which redirects to UA IdP, then upon successful authn and relay to Google, Google pushes prompt for 2nd factor to the Google app on my phone.)



This email has been scanned for spam and viruses by Proofpoint Essentials. Click here<*;JQ!pWSdj_w3qx0ASw!snpLahpAbueoNopQBVenpq0hFO73MDR8msxpZzZOg_sgWb_7yheXNVR3wXXBgSX-Sg$> to report this email as spam.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the users mailing list